Score:0

Using MS Azure to crack password

cn flag

I heard there is a possibility to perform a brute-force attack on a password. I know there is an option to use graphics cards on AWS, but is there a solution for Azure too? What would it cost to perform such an attack? I know it depends on the performance, time, etc.; is there some pricing list on how Azure solves this? I cannot find it on Google; I only found solutions for AWS.

Maarten Bodewes avatar
in flag
There may be some overlap, but we're not Azure specialists here.
cn flag
@MaartenBodewes Well, it comes down to a brute-forcing task. My PC can't do that on its own; I would need the computational power of a few graphics cards...
Eugene Styer avatar
dz flag
The time/cost would also depend on what password hashing algorithm was used
Score:1
kr flag

It depends on many factors.

Let's make some very optimistic assumptions. Suppose the password consists of characters out of a 64-character set (64 taken for simplicity, e.g. lower and upper case English letters, digits 0 to 9, and a few special characters). Suppose the password has a length of 12. If the characters are chosen randomly, the entropy is 6 x 12 = 72 bits. And suppose, again very optimistically, that a simple hash like SHA-256 is sufficient to test a single password. Thus in the worst case you need to compute 2^72 hashes.

How much can it cost?

Let's look at a relatively powerful GPU, the NVIDIA GeForce RTX 3090, which can compute 121 MH/s. That is ~2^39 hashes per hour. This GPU consumes 350 W, which with an optimistically low price of 0.1 USD per kWh means 0.035 USD per hour.

For 2^72 hashes you would need 2^72 / 2^39 = 2^33 ~= 8,600,000,000 hours of such a GPU. This will cost you ~300,000,000 USD.

If the encryption scheme uses a 128-bit key (which makes no sense to brute-force) that is derived with some algorithm like Argon2 from a 12-character password, and its parameters slow you down, let's say, by a factor of 1,000,000, then your cost will increase by this factor. That means a 12-character password can cost you 300,000,000,000,000 USD.

The costs of such computing power at MS Azure will be higher, because there are also costs of hardware, cooling systems, personnel, etc.

If you want to brute-force an 8-character password and there is no key derivation used, then after applying the same logic we get the following: Entropy = 6 x 8 = 48 bits. Time needed to brute-force: 2^48 / 2^39 = 2^9 = 512 hours ~= 21 days. Thus, even with a single GPU you can brute-force an 8-character password within 21 days, even without using MS Azure.

TLDR: Even in a relatively simple case without key derivation, brute-forcing a 12-character password can cost ~300,000,000 USD. And if some further measures are taken, e.g. the password is longer or a resource-hungry key derivation is used, it can cost much more.

hm flag
Note also that these figures have room for more optimism :) - they assume password *generation* worst case (that the password was randomly generated). Most human-generated passwords are much easier to crack (using wordlists, rules, etc). The computation math is still valid, but the password might be cracked much sooner than exhausting the keyspace would require.
kr flag
@RoyceWilliams: Sure, if a password is human-generated, then it usually has less entropy, which makes brute-forcing easier. But nowadays every password manager has an option to generate a password for given criteria (length, character set, etc.). Also some browsers, e.g. Firefox, automatically suggest generating a password for password fields. So human-generated passwords become a bit less usual.
cn flag
I understand that brute-forcing a long password may be exhausting, but my question was more like: which products provide such services? Or what would be the cost of Azure doing a brute-force attack on a 5-digit password? Since you can just lend some computation power of many graphics cards put together.
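
The answer's arithmetic, generalized as an added example (not code from the original answer or its comments): it computes the worst-case electricity cost of exhausting a random-password keyspace and, for choosing a password policy, the shortest length whose search cost exceeds a given budget. The function names are hypothetical; the GPU figures are the ones quoted in the answer, used unrounded (121 MH/s rather than 2^39 hashes per hour), so the results differ slightly from the rounded ones.

```python
import math

def exhaustive_search_cost(charset, length, hashes_per_sec, watts,
                           usd_per_kwh, slowdown=1):
    """Worst-case cost of trying every random password of this shape.

    slowdown is the factor by which a key derivation function (e.g. Argon2)
    makes one guess more expensive than a single plain hash.
    """
    guesses = charset ** length                      # exact integer keyspace
    gpu_hours = guesses * slowdown / (hashes_per_sec * 3600)
    return {
        "bits": length * math.log2(charset),         # entropy if chosen randomly
        "gpu_hours": gpu_hours,
        "usd": gpu_hours * (watts / 1000) * usd_per_kwh,  # electricity only
    }

def min_length_for_budget(charset, budget_usd, hashes_per_sec, watts,
                          usd_per_kwh, slowdown=1):
    """Shortest random password whose worst-case search cost exceeds budget_usd."""
    length = 1
    while exhaustive_search_cost(charset, length, hashes_per_sec, watts,
                                 usd_per_kwh, slowdown)["usd"] <= budget_usd:
        length += 1
    return length

# Figures quoted in the answer: RTX 3090, 121 MH/s, 350 W, 0.1 USD per kWh.
GPU = dict(hashes_per_sec=121e6, watts=350, usd_per_kwh=0.10)

if __name__ == "__main__":
    # The three cases the answer walks through (64-character set).
    for length, slowdown in [(8, 1), (12, 1), (12, 1_000_000)]:
        r = exhaustive_search_cost(64, length, slowdown=slowdown, **GPU)
        print(f"len={length:2d} slowdown={slowdown:>9,d} "
              f"bits={r['bits']:.0f} gpu_hours={r['gpu_hours']:.3g} "
              f"usd={r['usd']:.3g}")
    # Policy view: length needed so exhaustive search costs over 1,000,000 USD
    # (a constructed budget), with and without a 1,000,000x slowdown.
    print(min_length_for_budget(64, 1e6, **GPU))
    print(min_length_for_budget(64, 1e6, slowdown=1_000_000, **GPU))
```

As in the answer, this counts electricity only and assumes randomly generated passwords, so it is an upper bound on search effort, not an estimate for human-chosen ones.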